Restrict messages to authorized addresses or domains
You can allow email messages to be sent to and received from specific addresses or domains that you authorize.
By default, users with Gmail accounts at your domain can exchange messages with any other email address. However, in some cases, you might want to restrict the addresses your users can exchange messages with. For example, a school might want to allow its students to exchange messages with the faculty and other students, but not with people outside of the school.
Users receive only authenticated messages from listed domains. Users who try to send a message to an unlisted domain see a notice that cites the policy prohibiting messages to that address and confirms that the message was not sent. Messages sent from unlisted domains, and messages from listed domains that can't be verified using DomainKeys Identified Mail (DKIM) or Sender Policy Framework (SPF) records, are returned to the sender with a message about the policy.
Note: To allow internal messages between users within your organization (the set of domains associated with your company or school), you must check the Bypass this setting for internal messages box.
Similar to other email security settings, the email delivery restrictions apply to all users in the organizational unit. Users in child organizations inherit the restrictions.
Because you can set up multiple lists when configuring your email settings, you can set up different delivery restriction policies for different organizations. Users can exchange messages without restriction if they belong to organizations where a Restrict delivery setting isn't added (and assuming other settings haven't been added, such as the Blocked senders setting).
You can also restrict chat messages to users within your own domain. Learn more about sharing options.
Configure Restrict delivery settings for your domain or organization:
- Sign in to the Google Admin console.
- From the dashboard, go to Apps > G Suite > Gmail > Advanced settings.
- In the Organizations section, highlight your domain or the organization for which you want to configure settings. See Configure advanced settings for Gmail for more details.
- Scroll to the Restrict delivery section:
  - If the status is Not configured yet, click Configure. The Add setting dialog box displays.
  - If the status is Locally applied, click Edit to edit an existing setting (the Edit setting dialog box displays), or click Add another to add a new setting (the Add setting dialog box displays).
  - If the status is Inherited, click View to view the inherited setting, or click Add another to add a new setting. The Add setting dialog box displays.
- Click Add setting or Save to close the dialog box.
Note: Any settings you add will be highlighted on the Advanced settings page.
- Click Save.
See the sections below for additional instructions and guidelines.

Add addresses or domains that you want to allow
When you enter addresses or domain names, Gmail checks them against the From: part of the message header, not the envelope sender (or Return-Path section of the message header). Therefore, the From: sender must exactly match an address or domain you enter.
- Click Use existing or create a new one to add a list to the setting.
- Enter a name for the list in the Create new list: field, and click Create.
- Hover over the name of the list, and then click Edit.
- Click Add to add email addresses or domain names to the list.
- Enter email addresses or domain names, using a space or a comma to separate multiple entries.
- If the sending account doesn't have DKIM or SPF authentication, check the Do not require sender authentication box. If the box isn't checked, this sender's messages are rejected even though the sender is on the list.
To see a sender’s authentication configuration, use the Check MX tool, available at https://toolbox.googleapps.com/apps/main/.
- Click Save.
Optionally, you can enter a customized rejection notice; for example, "Your email has been rejected because it violates organization policy."
To allow internal messages between users within your organization, check the Bypass this setting for internal messages box. The internal message must be authenticated (SPF/DKIM) for it to bypass the setting. Internal messages that aren't authenticated are rejected by this feature.
When you're finished, click Add setting, then Save. Any settings you add will be highlighted on the Advanced settings page.
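The matching rules described in this section (From: header rather than envelope sender, DKIM or SPF required unless waived, internal bypass only for authenticated mail), modelled as an added Python example that is not Google's code. The function names, the constructed sample messages and lists, the single `require_auth` flag, exact matching without subdomains, and reading the result from an `Authentication-Results` header are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def evaluate(raw, allowed, internal=(), bypass_internal=False, require_auth=True):
    """Return (verdict, reason) for one inbound message under the modelled policy."""
    msg = message_from_string(raw)
    # Only From: is matched; Return-Path (the envelope sender) is never consulted.
    addr = parseaddr(msg.get("From", ""))[1].lower()
    domain = addr.rpartition("@")[2]
    # Assumption: Authentication-Results was added by your own receiving server.
    results = msg.get("Authentication-Results", "").lower()
    authed = re.search(r"\b(spf|dkim)=pass\b", results) is not None
    allowed = {entry.lower() for entry in allowed}
    # Internal bypass applies only to authenticated internal messages.
    if bypass_internal and authed and domain in internal:
        return ("accept", "internal bypass")
    # Assumption: exact match on the full address or the domain, no subdomains.
    if addr not in allowed and domain not in allowed:
        return ("reject", "From: not on list")
    if require_auth and not authed:
        return ("reject", "listed but not authenticated")
    return ("accept", "listed sender")

def sample(from_hdr, return_path, auth):
    """Build a constructed message with the three headers the model reads."""
    return (f"Return-Path: <{return_path}>\n"
            f"Authentication-Results: mx.school.example; {auth}\n"
            f"From: {from_hdr}\nSubject: test\n\nbody\n")

ALLOWED = {"partner.example", "coach@club.example"}  # constructed allow list
INTERNAL = {"school.example"}                        # constructed internal domain

if __name__ == "__main__":
    cases = [("Coach <coach@club.example>", "coach@club.example", "spf=pass"),
             ("x@other.example", "bounce@partner.example", "dkim=pass"),
             ("news@partner.example", "news@partner.example", "spf=fail; dkim=none"),
             ("student@school.example", "student@school.example", "dkim=pass")]
    for frm, rp, auth in cases:
        print(frm, evaluate(sample(frm, rp, auth), ALLOWED, INTERNAL, bypass_internal=True))
```

Running a few real headers from your own mail flow through a model like this before enabling the setting shows which legitimate senders would be rejected because their From: domain differs from the listed one or because they fail both SPF and DKIM.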